Oz govt loses Stay Smart Online user details via Australia Post

update The Australian Government has lost a DVD containing the details of users subscribing to its Stay Smart Online alerts service after a contractor sent the information through Australia Post.

Stay Smart Online notified users of the loss by email yesterday, stating that the Department of Broadband, Communications and the Digital Economy (DBCDE) had been advised by one of its contractors that a DVD containing subscriber information had been lost in the mail. The department has since told ZDNet Australia that this contractor was AusCERT, and that it was responsible for the security of the lost information. The subscription information contained usernames, email addresses, memorable phrases (used as password reminders) and cryptographically hashed passwords.

DBCDE is in the process of switching which contractors it uses for the alerts service, and, as part of the handover process, AusCERT placed the subscriber information on a DVD, and posted it on 11 April, according to the department's email.

The DVD was sent via Australia Post's express service, which has two options for delivery, one of which has tracking. ZDNet Australia has asked the department whether the DVD was tracked, and why it was necessary to send the information via post, but had not received a reply at the time of writing.

Despite the incident, DBCDE has stated that it believes the information has not been found or misused, and that there is no privacy risk, stating that it had only emailed users to remain consistent with best practice for privacy matters.

Ironically, DBCDE also advises users to visit the Stay Smart Online website for further information on password security and how to be safe and secure online.

AusCERT's contract ended at the end of April 2012, and the alert service is now being managed by two different contractors.

Updated 2.12pm, 8 July 2012: added further information from DBCDE on the contractor responsible.